Filter
Top Products
13-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
Related Topics
• Identifying Active Directory Servers and Agents, page 13-8
• Requirements for Identity-Aware Firewall Policies, page 13-3
Field Reference
Table 13-5 Identity Options Advanced Tab
Element Description
Enable User Identity Whether to enable the device to obtain user identity information from
the AD agent and AD servers, if they are configured on the AD Setup
tab. The default is enabled.
If you change this option and deploy, the change has the following
effect based on the new setting:
• Disabled—The entire IP address to user mapping database is
flushed and all users without activated user-specific rules are
released. The AD agent and servers are no longer queried for
updates, and all activated user-identity-based rules will have no
effect on traffic.
• Enabled—Activated users are recreated gradually through
communications with the AD agent. VPN users might need to
reauthenticate. Queries to the AD agent and AD server
recommence.
Error Conditions
Disable Rules When Active
Directory Agent Is Down
Whether to disable all rules that include user identity if the connection
to the AD agent is unavailable. If you select this option, all user-to-IP
address mappings are marked disabled and all rules that include user
specifications are not applied to traffic. By default the option is
disabled.
Remove User IP When
NetBIOS Probe Fails
Whether to remove the User’s IP address mapping from the database if
the NetBIOS probe for the user fails for any reason, whether the probe
is somehow blocked in the network or the probe fails because the user
is not in operation. The user must log into the workstation again. This
option has effect only if you enable the NetBIOS logout probe on this
page. By default the option is disabled.
Remove User IP When
User’s MAC Address is
Inconsistent
Whether to check the Media Access Control (MAC) address in each
request from a user-mapped IP address to the MAC address in the
previous packet.
If you select this option, and the MAC address changes between
packets, the user-to-IP address mapping is removed from the database,
subsequent packets are dropped, and the user must reauthenticate to
Active Directory. The AD agent is notified if the user-to-IP mapping is
removed due to MAC mismatch. By default this option is enabled.
MAC checking occurs only on packets from IP addresses on networks
that are directly attached to the ASA. VPN users are not checked.
Track User Not Found Whether to enable user-not-found tracking. By default, the option is
disabled.